PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8428 Concrete CMS CVE debrief

CVE-2026-8428 is a cross-site request forgery issue in Concrete CMS’s core update flow. The update form renders a CSRF token, but the corresponding controller action does not validate it before processing the request. As a result, a cross-site POST can reach the update handler and trigger a core CMS update to an attacker-influenced version string, provided the victim passes the canUpgrade() check and a valid update version exists under DIR_CORE_UPDATES. The vulnerability was published on 2026-05-21 and carries a CVSS v4.0 score of 7.5 (High).

Vendor: Concrete CMS
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Administrators and security teams running Concrete CMS 9.5.0 or earlier, especially environments where authenticated users can access the dashboard update workflow.

Technical summary

According to the supplied description, the local_available_update.php view emits a token with $token->output('do_update'), but concrete/controllers/single_page/dashboard/system/update/update.php does not call $this->token->validate('do_update') in do_update(). That mismatch leaves the update action exposed to CSRF. The NVD record lists the issue with CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N and secondary weaknesses CWE-352 and CWE-829. The vulnerability is conditional on the victim passing canUpgrade() and on a valid update version being present under DIR_CORE_UPDATES.
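One way to audit for the view/controller mismatch described above, as an added example that is not PatchSiren's or Concrete CMS's own code: a small Python check that pairs every `$token->output('name')` a view emits with a `->validate('name')` call in the matching controller and reports the names that are never validated. The view and controller sources below are constructed to mirror the CVE description; the error-handling lines in the fixed variant are an assumed pattern, not the vendor's actual fix.

```python
import re
from typing import Set

# Constructed view source: emits a CSRF token named do_update, as the
# local_available_update.php view does according to the CVE description.
VIEW_SRC = """<form method="post" action="<?= $view->action('do_update') ?>">
<?php $token->output('do_update'); ?>
<input type="hidden" name="version" value="<?= h($version) ?>">
</form>"""

# Constructed vulnerable controller: handles do_update without checking the token.
CONTROLLER_VULN = """<?php
class Update extends DashboardPageController {
    public function do_update() {
        $version = $this->request->request->get('version');
        $this->runUpdate($version);   // no CSRF validation before acting
    }
}"""

# Constructed hardened controller (assumed pattern, not the vendor patch):
# rejects the request unless the do_update token validates.
CONTROLLER_FIXED = """<?php
class Update extends DashboardPageController {
    public function do_update() {
        if (!$this->token->validate('do_update')) {
            $this->error->add($this->token->getErrorMessage());
            return $this->view();
        }
        $version = $this->request->request->get('version');
        $this->runUpdate($version);
    }
}"""

# Token names emitted by a view and token names validated by a controller.
OUTPUT_RE = re.compile(r"\$token->output\(\s*['\"]([\w-]+)['\"]")
VALIDATE_RE = re.compile(r"->validate\(\s*['\"]([\w-]+)['\"]")

def emitted_tokens(view_src: str) -> Set[str]:
    return set(OUTPUT_RE.findall(view_src))

def validated_tokens(controller_src: str) -> Set[str]:
    return set(VALIDATE_RE.findall(controller_src))

def unvalidated_tokens(view_src: str, controller_src: str) -> Set[str]:
    # Names the form renders but the controller never checks: each one is a
    # CSRF-exposed action of the kind CVE-2026-8428 describes.
    return emitted_tokens(view_src) - validated_tokens(controller_src)

if __name__ == "__main__":
    print("vulnerable:", unvalidated_tokens(VIEW_SRC, CONTROLLER_VULN))
    print("fixed:", unvalidated_tokens(VIEW_SRC, CONTROLLER_FIXED))
```

Run over real view/controller pairs, a non-empty result is the finding to chase; the check is text-based and does not prove the validate() call guards every code path.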

Defensive priority

High. The issue can impact integrity and availability of the CMS update path, and it is reachable over the network with user interaction.

Recommended defensive actions

  • Review the Concrete CMS update controller and ensure the do_update action validates the expected CSRF token before processing any update request.
  • Upgrade to a vendor-fixed release if one is available in the referenced Concrete CMS release history.
  • Restrict access to the dashboard and update functionality to trusted administrative users and networks.
  • Monitor for unexpected update attempts or version changes in the CMS update logs and related audit trails.
  • Verify that any deployed instance is not running 9.5.0 or earlier without the vendor patch applied.

Evidence notes

The supplied NVD record for CVE-2026-8428 states that the update form emits a token but the controller does not validate it, enabling CSRF against the core update action. NVD also references Concrete CMS 9.5.1 release notes as the product-linked source. The corpus provided here does not include the full release note text, so fix details beyond the CVE description are not asserted.

Official resources

Publicly disclosed on 2026-05-21. This debrief is based only on the supplied NVD record and the referenced Concrete CMS release-notes link.